Security is now a very important aspect of any computing system connected to the Internet. In order to provide protection from different types of security threats, a typical computing system may employ a significant number of technologies to monitor the computing system and, in some cases, perform actions to protect the computing system from identified threats or potential threats. These technologies will be referred to generally throughout this specification as monitor modules. Some common monitor modules and their functions include:
Stateful firewall—An industry standard method of network connection monitoring, control and protection;
Application awareness—Inspecting network connections for proper application behavior, protecting a network from common application vulnerabilities;
DHCP—Provides IP address and other network parameters to network users;
IDS—Intrusion Detection System, detects attacks;
IDP—Intrusion Detection and Prevention, detects and prevents attacks;
HIDS—Host-based Intrusion Detection System, detects attacks and changes on the security device itself;
Service proxy and cache server—Isolates users from the Internet, controls their access and improves speed of Internet use;
Email forwarder with masking—Isolates and controls incoming or outbound Email;
WEB forwarder with masking—Isolates, protects and controls incoming or outbound WEB service requests;
Anti-SPAM—Prevents the majority of unsolicited Email requests;
Web content filter—Protects organizations from access to or from unacceptable WEB sites and content;
Anti-virus filter—Examines incoming Email and other services for the presence of viruses and removes them;
Email content filter—Controls the content of Email messages to protect against SPAM and unacceptable content;
Multiple DMZ—The ability to segregate a customer's network into isolated “De-Militarized Zones”, providing protection by isolation;
VPN Concentrator—Allows for connection from anywhere in the world to a “Virtual Private Network” that from a remote site appears as a single network segment;
VPN Initiator—Connects to other VPN concentrators;
Site-to-site VPN with full mesh option—Allows for the creation of a large private network utilizing inexpensive public Internet connections. Useful for companies with small branch or remote offices/locations;
Encryption at all levels—All data transferred or stored in an encrypted or encoded format;
Honey Pot—A method to trap intruders and to track attackers;
SSH/SSHD—A secure method of communicating with and managing security appliances and services;
Automatic updates via WEB—Self-maintaining, correcting, updating and reporting mechanisms;
HA/Cluster implementation—High-availability redundant capability that can grow as required depending on performance requirements;
Common web-enabled management interface—All technologies and services are managed by a common WEB based interface;
SAMBA, LDAP support—Windows network file system and user awareness;
Full identification, authentication and authorization (AAA) support—Method to ensure proper user access and logging of user connections to network resources;
Multi factor identification required for device management—More extensive methods used for administrative access to security devices for management and control;
SNMP device inspection and control—The ability to query and control devices such as routers, switches, printers and workstations to gather detailed network information without the need for a device specific resident client; and
Clear text password detection—The ability to detect, log and report the use of internal or external usernames and passwords that are not encrypted (clear text).
Monitor modules such as those described above each perform a different monitoring and/or security function and are usually provided as a separate and distinct application (or device, depending on the implementation) on the computing system. Because computing system administrators wish to select and employ only those monitor modules deemed necessary, most monitor modules are designed to be standalone modules that function independently of the existence of other monitor modules. Therefore, each monitor module independently generates and tracks various data as necessary to perform its function, regardless of whether the same data is being tracked or generated by other monitor modules.
In addition, because the developer of a monitor module cannot rely on the existence of other monitor modules or even a common data format for data generated by other data systems, most monitor modules are not designed to interface with other monitor modules or even provide data in a format useful to other monitor modules. Therefore, monitor modules are not capable of taking advantage of information known to other monitor modules or reacting to actions being performed by other monitor modules.
For example, an anti-virus filter might include a file of known viruses that it uses when screening message traffic received by the computing system. Any message containing a file that includes a virus identified in the known virus file is deleted, quarantined, or otherwise acted on by the virus filter without input from, or knowledge of, the other monitor modules. Similarly, an anti-spam filter may include a list of words or other information that it uses to screen out messages received by an e-mail application. These monitor modules may report data to an administrator of the computing system indicating that viruses or spam have been detected or that actions have been taken, but the other monitor modules on the computing system are unaware of such detections and make their own decisions independent of any such knowledge or actions. It is left to the administrator to determine from the data whether another monitor module needs to be provided with this new data to more effectively perform its function.
Each disparate monitor module has its own requirements for evaluating messages received from the communication network. In the case of an anti-virus filter, the entire message is typically received before the filter makes its analysis. The same is true for the anti-spam filter. A firewall, on the other hand, can delete the packets that make up a communication as the packets arrive, preventing them from ever being passed into the computing system proper. However, the firewall has no way of predicting that a given message or communication contains a virus, is spam, is an attempt to take over the computer, or represents some other threat, so such threats are passed into the computer to be screened by the other monitor modules.
Because the monitor modules do not share information, the fact that threats are identified by one monitor module does not benefit any of the other monitor modules. Take, for example, a situation where a remote computer is attempting to take control of a computing system. The first effort may be to infect the computing system with one of a number of viruses that allow remote control of the computing system, by sending virus-laden messages to the computing system. If the virus software catches all of the viruses, then an attempt may be made to log into the computing system as a user. If the clear text password detection system foils this attempt, an attempt may then be made to reconfigure the computing system to allow public access to restricted material, thereby testing the HIDS system. This scenario shows that if the remote computer keeps looking for weaknesses long enough, it is likely something will be found. As the monitor modules do not interface with each other, the password detection system does not have the benefit of the knowledge that there have already been repeated infection attempts from the remote computer. Similarly, the HIDS system does not know that the remote computer was the source of numerous, different, and concerted attempts to take over control of the computer.
The monitor modules often report to an administrator data related to identified threats and the actions taken in response. However, it is up to the administrator to read the disparate reports and notifications and attempt to identify trends indicative of a more significant threat to the computing system. In the scenario described above it is left to the administrator to view the data from each of the monitor modules, correlate the data, determine an appropriate coordinated response by the computing system, and implement the response. Depending on the level of communications traffic and the size of the computing system, this may involve the analysis of huge amounts of data stored in multiple data logs, each in a different format and containing different types of information. The administrator may have difficulty correlating data from one monitor module with data from another monitor module, not to mention difficulty identifying trends in the collected data.
The scenario described above used a relatively simple example where all the attacks come from one remote computer. Other scenarios are possible where the attacks share other, less obvious, common characteristics, such as the same destination, subject line or some other attribute. Such information may not even be tracked by each monitor module and may only be determinable upon review of a collected and correlated set of data from all the monitor modules.
Administrators have a further challenge in that most attacks occur quickly. Often, by the time the administrator has determined from the data provided by the various monitor modules that a concerted attack on multiple fronts is occurring, it has either succeeded or failed. Administrators cannot analyze the data in the time necessary to provide effective feedback to the various monitor modules.
In reality, even though a plethora of threat data exists and is being reported in real time, it is typically used only after the fact, to determine what occurred in a successful attack.